
Any extra benefits running EMET with MBAE


MCFatTongue


MBAE and EMET complement each other. To say it short: MBAE protects the programs it can protect better, but EMET can protect a lot more programs/processes.
AFAIK: At the moment EMET offers some protection techniques that MBAE does not use, this should change in the future. (As far as I remember a post from pbust.)
So I have decided to use both EMET and MBAE.
 
In the article XiRw mentioned, it is also noted that EMET is still a good program to use. Just that it can be bypassed doesn't make it worthless, no program is perfect. (That's why we use layered security.)
 

The takeaway from Monday's disclosure should be that EMET remains an effective—but by no means infallible—protection.

 
On the website of hitman pro the word 'exploit' isn't used in the description of hitmanpro.alert. So I wouldn't use hitmanpro.alert for blocking exploits but for the rest, use it, it does other useful things. (Edit: hitmanpro.alert 3 will offer exploit protection, this version is yet to be released at the moment of writing.)
 

As a post from a while back from pbust explains the difference between EMET and MBAE rather well, I'll quote it below:

In terms of comparing MBAE to EMET, let's look first at the differences in the objective.

  • EMET is mainly designed to enforce OS protections on third party (i.e. non-Microsoft) applications. So for example you can force non-ASLR compliant apps to use ASLR. It also includes other mitigations which are very nice and handy as well as the certificate trust feature.
  • MBAE on the other hand has been designed as a global (i.e. complete, as in you don't need anything else) multi-layer anti-exploit real-time protection. While some of the mitigations are similar in nature, MBAE is more complete as an anti-exploit as it includes multiple techniques against both stage 1 and stage 2 of the exploit attacks (while EMET is just stage 1). So basically in case something bypasses exploit stage 1 protections with EMET, you are out of luck. With MBAE if some exploit bypasses stage 1 you still have the stage 2 protection layers protecting you as a safety net.
Some other differences are the following:
  • MBAE is growing and including EMET protections and even other types of protections not found currently in EMET or MBAE. We keep on adding new techniques every other week to make MBAE even more robust and complete as an anti-exploit.
  • EMET’s protections are limited in older Operating Systems such as XP, while MBAE is not. Under XP MBAE is much more effective than EMET. This is especially important for larger companies where they still rely on older OS versions and are much more vulnerable.
  • Finally potential bypasses for EMET (there have been a few in the past) do not affect MBAE as we include the exploit stage 2 protections not found in EMET as a safety net.
Having said all that I also have to say that EMET is great and we are great fans of it since the beginning. If you are a security enthusiast or security paranoid you can install both EMET and MBAE and you will have much more protection than having just one or the other. But for the rest of the regular joe blow and gramma users MBAE is much better fitted as it is truly install-and-forget.
 
I hope this helped answer your questions.

 


The white paper about the EMET 4.1 bypass:

http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf

  • Staff

To answer the other part of your original question, EMET has other things that MBAE does not, like the digital certificate validation stuff. But that's really not related to exploits.

 

Both EMET and MBAE have memory protections. Some are similar and some are different. We think ours are more generic and proactive in nature but we also have to add a few more before we can get out of beta.

 

But the biggest difference is in the application behavior which MBAE has and EMET doesn't. This is basically an additional layer of protection in case memory protections are bypassed.


Hi,

 

Thank you all for your detailed explanations, it's much clearer now.  From what you have said I'm going to keep running both MBAE and EMET.

 

Regarding Hitman Pro, I already run Kaspersky Internet Security 2014, MBAM pro, MBAE, EMET and Spyware Blaster, should I be running Hitman pro as well or would you suggest swapping Spyware Blaster for Hitman Pro?

 

Thank you for all your help.


In addition to XiRw:
In version 3 of hitmanPro.alert an anti-exploit feature will be included. As XiRw correctly noted, this is an upcoming beta version.
Here is the blog-post where it is announced:

http://www.surfright.nl/en/home/press/surfright-announces-alert-3

  • 3 months later...

I think this is a reasonable thread for this query.

 

EMET can have some problems with cygwin:

sourceware.org/ml/cygwin/2013-06/msg00092.html

due to enforcing ASLR

 

Does MBAE also enforce ASLR, potentially interfering with cygwin?

 


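Added example, not part of any post in this thread: whether an image is "ASLR compliant" in the sense used in the quoted pbust post is recorded in its PE header, so a short Python check can show which binaries a forced-ASLR setting would actually affect. The flag values are from the PE/COFF specification; the function names, status labels and the header-only sample images are constructed for this illustration.

```python
import struct

# Flag values from the PE/COFF specification.
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no base relocations in file
HIGH_ENTROPY_VA = 0x0020   # DllCharacteristics: 64-bit high-entropy ASLR
DYNAMIC_BASE = 0x0040      # DllCharacteristics: image opts in to ASLR
NX_COMPAT = 0x0100         # DllCharacteristics: image opts in to DEP

def pe_mitigation_flags(data: bytes) -> dict:
    """Read the ASLR/DEP opt-in bits from a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # PE signature (4 bytes) + COFF header (20 bytes)
    if opt + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad or truncated PE header")
    opt_size, coff_chars = struct.unpack_from("<HH", data, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {"aslr_opt_in": bool(dll_chars & DYNAMIC_BASE),
            "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
            "dep_opt_in": bool(dll_chars & NX_COMPAT),
            "relocs_stripped": bool(coff_chars & RELOCS_STRIPPED)}

def aslr_status(flags: dict) -> str:
    """Label an image by how it relates to a forced-ASLR setting."""
    if flags["aslr_opt_in"]:
        return "opted-in"            # already randomized by the OS loader
    if flags["relocs_stripped"]:
        return "not-relocatable"     # no fixups available if it is moved
    return "forced-relocatable"      # only moves when ASLR is forced on it

def sample_image(dll_chars: int, coff_chars: int) -> bytes:
    """Constructed header-only PE32+ image for the demo (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, coff_chars)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for dll, coff in ((0x0160, 0), (0x0100, 0), (0x0000, RELOCS_STRIPPED)):
        flags = pe_mitigation_flags(sample_image(dll, coff))
        print(hex(dll), aslr_status(flags), flags)
```

To check a real binary, pass the bytes of the file (read in binary mode) to `pe_mitigation_flags`.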